Employees are the most-cited culprits of infosec incidents

According to PwC’s Global State of Information Security® Survey 2015, employees have become the most-cited culprits of information security incidents – whether intentionally or not. The percentage of respondents who pointed at current employees as the cause for incidents has jumped by 10% since 2013. Moreover, 32% of the respondents of the 2014 US State of Cybercrime Survey said that insider crimes are more costly or damaging than those committed by outsiders.

Employees are often the primary target of cyber criminals, who use sophisticated techniques to manipulate individuals into helping them steal corporate or personal data.

The technical security controls organisations apply to their computer systems can do little or nothing to change the behaviour of the people responsible for data. As a result, the human factor remains one of the weakest links in information security, while cyber security awareness continues to be a big gap in many organisations’ overall security approach.

But all is not lost: there are some measures organisations can adopt to counter the insider threat.

Staff awareness

Most employees won’t harm their organisations intentionally. If they become the cause of an incident, this will be most likely due to lack of knowledge, negligence or simply human nature. Moreover, Sony Pictures Entertainment’s data breach has demonstrated that employees’ own sensitive information is also at stake. Therefore, it is as much the employees’ responsibility to protect sensitive information as it is the employer’s duty to educate employees about cyber security and what it means for the organisation.

Implementing an information security management system as defined by the ISO27001 standard can support the development of an integrated staff awareness programme, as well as the other activities necessary for improving information security within an organisation.

Security awareness training can deliver quick returns by raising employee awareness of information security best practice as well as cyber threats. It is not only fundamental for effective information security management within an organisation, but also helps meet specific requirements mandated by ISO27001, the Data Protection Act (DPA) and the PCI DSS.

Employee phishing vulnerability assessment

With the growth of malware, the increased use of social media and mobile apps, and the proliferation of phishing attacks, the cyber security challenges that organisations face are growing rapidly.

With this in mind, educating employees does not provide the full answer to the problem of the human factor. Organisations have to become more creative and sophisticated; they should test employee knowledge, identify weaknesses and make improvements.

Conducting a comprehensive employee phishing vulnerability assessment, for example, will identify potential vulnerabilities among employees and provide recommendations for improving security. This gives an organisation a broad understanding of the risks associated with staff and of how those risks can be addressed.

Access control management

A report from Ponemon Institute for Varonis (Corporate Data: A Protected Asset or a Ticking Time Bomb?) revealed that 71% of employees have access to data they shouldn’t see. 54% of the end users said they access such data frequently or very frequently, while 80% of the IT professionals surveyed said their organisation doesn’t enforce a strict least-privilege data model.

ISO27001 is the best solution to tackle the problem of unauthorised access – the Standard provides comprehensive guidance on access control management, including user registration, privilege management, user password management and more.
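The Ponemon figures above describe the gap between the access users actually hold and the access their job requires. One concrete way to measure that gap is a periodic entitlement review: compare each user's actual grants against the set approved for their role and flag anything in excess. The following is an added example, not code from the article or from ISO27001; the role matrix, user list and grant names are constructed sample data, and the function and field names are my own.

```python
"""Least-privilege entitlement review (added example, constructed data)."""
from dataclasses import dataclass

# Hypothetical approved entitlements per role. In practice this matrix is the
# output of the access control policy the text refers to (user registration,
# privilege management), agreed with each data owner.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"ledger-ro", "payroll-ro"},
    "hr-partner": {"hr-records-rw", "payroll-ro"},
    "developer": {"source-rw", "ci-logs-ro"},
}

# Constructed sample: who holds which role, and what each account can reach.
SAMPLE_USERS = {
    "alice": "finance-analyst",
    "bob": "developer",
    "carol": "hr-partner",
    "dave": "developer",
    "erin": "contractor",  # role with no approved entitlements on file
}
SAMPLE_GRANTS = {
    "alice": ["ledger-ro", "payroll-ro", "hr-records-rw"],
    "bob": ["source-rw", "ci-logs-ro"],
    "carol": ["hr-records-rw", "payroll-ro", "source-rw"],
    "dave": ["source-rw", "ci-logs-ro", "ledger-ro"],
    "erin": ["ci-logs-ro"],
}


@dataclass(frozen=True)
class Finding:
    """A user holding access that their role does not justify."""
    user: str
    role: str
    excess: frozenset  # entitlements to revoke or have the data owner approve


def review_entitlements(users, grants, roles=ROLE_ENTITLEMENTS):
    """Return one Finding per user whose grants exceed their role's approved set.

    A role missing from the matrix is treated as approving nothing, so every
    grant held by such a user is reported: unknown roles are a review failure,
    not a free pass.
    """
    findings = []
    for user, role in sorted(users.items()):
        allowed = roles.get(role, set())
        actual = set(grants.get(user, ()))
        excess = actual - allowed
        if excess:
            findings.append(Finding(user, role, frozenset(excess)))
    return findings


def excess_rate(users, grants, roles=ROLE_ENTITLEMENTS):
    """Fraction of users with at least one entitlement outside their role.

    This is the organisation's own version of the '71% have access they
    shouldn't' figure quoted above, measured rather than surveyed.
    """
    if not users:
        return 0.0
    return len(review_entitlements(users, grants, roles)) / len(users)


if __name__ == "__main__":
    for f in review_entitlements(SAMPLE_USERS, SAMPLE_GRANTS):
        print(f"{f.user} ({f.role}): excess {sorted(f.excess)}")
    print(f"users with excess access: {excess_rate(SAMPLE_USERS, SAMPLE_GRANTS):.0%}")
```

Run against a real export of group memberships or share ACLs, the findings list is the revocation worklist for the data owners, and the rate tracked over successive reviews shows whether the least-privilege model is actually being enforced.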

One Response

But – why is it so?
Simple – “discretionary access control (DAC)”, the obsolete access control architecture from the mainframe era, is the REAL problem. Simple, with a “flexible mandatory access control (FMAC)” or equivalent system, an employee’s “profile”, coupled with the detailed “profiles” of all system/enterprise programs and data sets, means that any attempt, deliberate or accidental, can only damage the structures allied to that profile – no access to “super-user”/admin privileges, etc. We knew all this 30 years ago with the final publication of the USA’s “Orange Book” in Dec 1985 and then the UK’s ITSEC later that decade!

So – simple – any server system requiring proper, modern, “now” security has to be built around hardened systems such as RHEL 6 with SELinux activated and “Common Criteria” / IS 15408 evaluation, etc. (Remember that – this is the only internationally accepted system for users to be able to assess the security status of a computer product / system and EAL4 has to be the BASE acceptable evaluation level. Shame it gets practically no acknowledgement in the IS 27000 series since after all, it is impossible to do real ICT risk assessment without having full understanding and trust in the supply chain! Even IS 27000 talks about “privilege” management as if the only ICT systems available are DAC based BUT…BUT…. all IT systems are NOT the same.)

The problem – STOP BLAMING THE USER – look at the chosen system hardware/software, the supply chain and the associated access control structures (DAC vs MAC vs FMAC, etc.) specified at procurement time – not added later!
